
another random user writes with news of a vulnerability in the Skype password reset tool: "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account" (original post in Russian).
concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix.

I'm particularly disturbed at how pervasive the use of "axe" in place of "ask" has become in this country. People who use "axe" for "ask" will be the first up against the wall when *my* revolution comes.

I don't think you can "understand" grammar (*) any more than you can "understand" vocabulary, as in why the sequence D-O-G represents a cute fluffy animal that barks and the sequence C-A-T represents a cute fluffy animal that meows. Grammar simply IS what it is, and sometimes it changes to something else, just like vocabulary. Wait a century and watch "whom" sink into oblivion.

I think "understand" makes sense in this context. You are arguing that spelling, or perhaps definition, is simply memorisation. In this reductive sense everything, like the rules of physics, is simply memorised rather than understood. Grammar, though, requires a deeper knowledge of language concepts (in this case subject and object pronouns) and context than spelling or noun definition.

You are probably correct about "whom" disappearing - it's almost unused in common language already. English seems to be

You are arguing that spelling, or perhaps definition, is simply memorisation.

In any language, some aspects are governed by universal rules and the rest is purely incidental. Not surprisingly, a large part of what we call grammar is incidental. There's no reason, for example, for English to have exactly three verb tenses (for a certain value of "verb tense") referring to past events, having the precise semantic nuances they have in modern English. (For a more academic value of "verb tense", English only has two verb tenses, the past one and the inde

I almost feel sorry for them discovering this just after they discontinued Microsoft Messenger and moved people on to Skype. To be fair, I expect this hole existed when they bought Skype.

I’m not so sure about that, y’know. It would likely have been discovered by now.
I expect it’s a side effect of the migration of MSN users to Skype as it likely requires changes to both Skype and its backend.


It's not new. I have an email address that people assume doesn't exist, and they sign up for things with it all the time. About two years ago, I received a password reset mail from Skype. When I went to reset it (as I do with every random account people sign up for with my email), they gave me the option to reset about a half dozen accounts. I now maintain a list of burner Skype accounts that had previously used my address.

Fun fact: you are limited to 4 successful resets, per email address, per day.

That doesn't seem likely. In fact, I think this is a side effect of Microsoft preparing to integrate the 100 million MSN Messenger users into Skype. Somebody has been trying to ensure that the accounts will overlap nicely and has obviously made a huge mistake which allows this to happen.

If I understand this "security hole" correctly.. and they have already popped the data to let you know the email is taken.. isn't it pretty much a no-brainer not to go ahead with that insert query? I may be a simple caveman.. but c'mon.. even in my worst spaghetti code this is solidly on the durr side of Hurr-Durrrr

That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets, so it's not a big deal if you put a bogus email in.

Now if you were just signed up with some random guy's email, it wouldn't be such a big deal, but the BIG security issue here is that for whatever reason Skype will send the password reset message to the random guy's email AND any Skype client associated with the email, and then almost worse, let you pick which account on the email to reset.

If the password reset message was just sent to the email, it would be fine, but sending it to an account that doesn't have a verified email is an issue.

So, it appears that Friendster still exists, and that it's quite popular in Southeast Asia. I have a domain that is apparently a natural one to use by teenage girls in Indonesia when creating their Friendster accounts. I have received many, many notification emails associated with these accounts, after which I request a password reset, receive the email, then log in and lock the account down, typically with a "HURR DURR I DON'T KNOW WHAT EMAIL IS" type status message. Is this

That part actually makes sense. Skype allows you to have multiple accounts tied to the same email (some people might use that to separate contacts but maintain the same email). To make it easy to use, you don't have to verify the email belongs to you, but email is really only for password resets, so it's not a big deal if you put a bogus email in.

How about this for a simple fix to still allow this multi-account feature: people can create as many accounts as they want to with the same email address, but in order to do that they need to be logged in to one of their existing accounts. You don't get to just sign up with a new account anonymously and use whatever email address is already linked to an account.

I have multiple Skype accounts created on the same email address (for different people, however) and it does not allow one to log in as the other. It's possible to password-reset any of them independently.

If dalias is correct in saying that the accounts using the same email address are independent, and that it follows that an account cannot be hijacked, then all that's really happening is a new account is created with an incorrect email address. The failure in this case would be in accepting this submission to slashdot.

Statistically speaking, you seem correct. Consider the brute-force possibilities of all those many millions of Skype users, some with dubious motivations, and how many of them must have tried this at least once and paid attention?

Or, maybe they did, and just kept quiet about it?

And profited?

Think about the billions.

Skype was never exactly motivated to further innovate, or engineer to a higher level; possibly with security enhancements. Skype has always been about the numbers. The numbers also indicate someo

It's a password reset token notification with a link (like this [imgur.com]) that appeared in the Skype clients of anyone who has this email set as primary. When you clicked that link, it led to a password reset page with a dropdown box listing all accounts registered with this email and a "reset password" button.

The problem is that they don't require verification when setting a primary email.

Microsoft also has issues with Xbox Live, although not nearly as bad. Some guy, when he bought Xbox Live Gold, accidentally entered my email address, which has linked his 5-year account to my email. Last weekend I bought a game on Steam which requires Games for Windows Marketplace. Since I had to have an account to play the game, I entered my email and it said I already had an account, so I did a password reset. This other guy has now lost his Xbox Live Gold account with 7 months left already paid for and s

Well, I would imagine the guy is freaking out and messaging him asking for his account back. But if not, he could Google the Gamertag; the guy probably posted it on a forum or something, which will allow for finding some form of contact.

"and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account" (original post in Russian)

Right, and then what? You seem to have missed the entire rest of the process where you actually carry out the password reset trick. Make me read the bloody article indeed...

The reason this works is simple, but it's still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, it allows a third party to redeem it and claim ownership of your original username and thus account.
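The flaw as the thread pieces it together (an address that is never verified, a reset token pushed into every Skype client on that address, and a reset page that lets the holder pick which account to reset) next to the fix proposed further up (you may only add another account to an address while signed in to one that already holds it), as an added Python model. This is not Skype's code and not from any post in the thread; the usernames, the address and the small in-memory account store are constructed for the example.

```python
"""Toy account service modelling the reset weakness discussed in the thread
(added example; not Skype's code). Weak flow: a second account may be
registered on an address already in use, the address is never verified, and
a reset token is pushed into every client logged in to an account on that
address, with a choice of which account to reset. Hardened flow: linking a
further account to an address requires being signed in to one that already
holds it, only verified addresses receive reset tokens, and the token goes
out by e-mail only. All names and addresses below are constructed."""
from dataclasses import dataclass
from typing import Optional
import secrets

VICTIM_EMAIL = "owner@example.com"  # constructed address


@dataclass
class Account:
    username: str
    email: str
    email_verified: bool = False
    password: str = "initial-password"


class AccountService:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.accounts: dict = {}              # username -> Account
        self.sent_emails: list = []           # (address, token): the mailbox
        self.client_notifications: list = []  # (username, token): in-app pushes
        self.tokens: dict = {}                # token -> address it was issued for

    def _linked(self, email: str) -> list:
        """Accounts a reset for this address may act on."""
        linked = [a for a in self.accounts.values() if a.email == email]
        if self.hardened:
            linked = [a for a in linked if a.email_verified]  # unverified ones never qualify
        return linked

    def register(self, username: str, email: str, session_user: Optional[str] = None) -> Account:
        in_use = any(a.email == email for a in self.accounts.values())
        if self.hardened and in_use:
            # Hardened: another account on a used address only while signed in
            # to an account that already holds that address.
            owner = self.accounts.get(session_user) if session_user else None
            if owner is None or owner.email != email:
                raise PermissionError("address in use; sign in to an existing account to add another")
            acct = Account(username, email, email_verified=owner.email_verified)
        else:
            # Weak: the duplicate is reported to the user, then accepted anyway.
            acct = Account(username, email)
        self.accounts[username] = acct
        return acct

    def verify_email(self, username: str) -> None:
        self.accounts[username].email_verified = True

    def request_reset(self, email: str) -> Optional[str]:
        linked = self._linked(email)
        if not linked:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = email
        self.sent_emails.append((email, token))  # the only channel in the hardened flow
        if not self.hardened:
            # Weak: the same token is also pushed into every client on the address.
            for a in linked:
                self.client_notifications.append((a.username, token))
        return token

    def accounts_for_token(self, token: str) -> list:
        """The dropdown the reset page shows to whoever holds the token."""
        return sorted(a.username for a in self._linked(self.tokens[token]))

    def redeem(self, token: str, username: str, new_password: str) -> None:
        if username not in self.accounts_for_token(token):
            raise PermissionError("token does not cover this account")
        del self.tokens[token]
        self.accounts[username].password = new_password


def run_scenario(hardened: bool) -> dict:
    """A second account on the owner's address, then a reset request; reports
    whether the second account's client ever saw a token usable on 'owner'."""
    svc = AccountService(hardened)
    svc.register("owner", VICTIM_EMAIL)
    svc.verify_email("owner")
    try:
        svc.register("second", VICTIM_EMAIL)
        duplicate_allowed = True
    except PermissionError:
        duplicate_allowed = False
        # A leftover duplicate from before the fix, inserted directly, to show
        # that the hardened reset path ignores unverified accounts entirely.
        svc.accounts["second"] = Account("second", VICTIM_EMAIL)
    svc.request_reset(VICTIM_EMAIL)
    second_token = next((t for u, t in svc.client_notifications if u == "second"), None)
    choices, owner_reset_by_second = [], False
    if second_token is not None:
        choices = svc.accounts_for_token(second_token)
        svc.redeem(second_token, "owner", "set-from-second-account")
        owner_reset_by_second = svc.accounts["owner"].password == "set-from-second-account"
    return {
        "duplicate_allowed": duplicate_allowed,
        "token_pushed_to_second": second_token is not None,
        "choices_offered": choices,
        "owner_reset_by_second": owner_reset_by_second,
        "emails_sent_to_address": len(svc.sent_emails),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "weak", run_scenario(mode))
```

Running it shows the weak flow handing the second account a token that lists both usernames and lets it reset "owner", while the hardened flow refuses the anonymous duplicate registration, sends exactly one e-mail to the address, and offers nothing to an unverified account even when one already exists in the store.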

Skype has also been plagued with billing issues. I had a subscription years ago; that bank card has now expired. I cancelled the subscription years ago.. as soon as Microsoft bought Skype, I started getting emails saying my card was declined, with no recourse, no way to cancel the subscription they tried to start up on me again...